General
-
Target
a20ae981add30ca8ca3ff698bc6afcf5a6e650fa5848f5f82839171e39495b78
-
Size
418KB
-
Sample
220521-n3f57ahffk
-
MD5
03071dc17e2366ceb5cf5968ae4dd186
-
SHA1
0135b9682db4667e961bd1746ce23004096dff8d
-
SHA256
a20ae981add30ca8ca3ff698bc6afcf5a6e650fa5848f5f82839171e39495b78
-
SHA512
573c316b3e2a42f7f3baa2f0130945bd41b83ed656a2c4ef679ac103dfa2413bdd7e73883264b2a3d3333e6156185002e40443395d60a8959d848e3ae403773d
Static task
static1
Behavioral task
behavioral1
Sample
mXb7YbGSNVuPq6D.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
mXb7YbGSNVuPq6D.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: kclogs2020@yandex.com
Password: j4k4rtakc
Targets
-
Target
mXb7YbGSNVuPq6D.exe
-
Size
509KB
-
MD5
b5b4f6b0c037dbd2f1c780d003e2048c
-
SHA1
6cf7271e167a649fcd60f016a3e23d0d6a08a2ac
-
SHA256
38a5466ed6bf2ea0c3e206b7ce9520da9c0104fbe0ddc33012ef73087e0c754c
-
SHA512
fec5dde56e01735e4cca1ea17c106b003c27f02ef38abd60a9768a22344a1c580f14fc48b016770db0d9f1287213d14386321daee857bc5cc37032989e4e512b
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; it exfiltrates stolen data over SMTP, FTP or HTTP, which is why the extracted config above is a mail account.
-
CoreEntity .NET Packer
A .NET packer, CoreEntity, that embeds the encrypted payload as a Bitmap object; the pixel data is read back and decrypted at runtime to recover the final executable.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain locales).
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
Calling SetThreadContext on the main thread of a suspended child process is the usual final step of process hollowing (RunPE): the decrypted payload is written into the host process and the thread's entry point is redirected before it is resumed.
-
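The CoreEntity entry above says the payload is stored as a Bitmap object and decrypted later. The carving half of that step, as an added example that is neither the packer's code nor part of the Tria.ge report: a pure-Python reader that pulls the raw pixel bytes out of a 24-bpp BMP, undoing the two things that usually go wrong (rows are padded to a 4-byte stride and stored bottom-up), plus a matching writer so the example runs offline on a constructed image. The 4-byte length prefix and the BMP layout are assumptions for the demo; the page does not document CoreEntity's encoding or its cipher, so no decryption step is included and `extract_payload` returns the still-encrypted blob.

```python
import struct


def build_bmp_with_payload(payload: bytes, width: int = 16) -> bytes:
    """Construct a 24-bpp, bottom-up BMP whose pixel bytes carry `payload`.

    The first 4 pixel bytes hold the payload length (little-endian). This
    length-prefix convention is an assumption made for the demo, not a
    documented CoreEntity format.
    """
    data = struct.pack("<I", len(payload)) + payload
    row_bytes = width * 3                      # 3 bytes per pixel (B, G, R)
    rows = -(-len(data) // row_bytes)          # ceiling division
    data = data.ljust(rows * row_bytes, b"\x00")
    stride = (row_bytes + 3) & ~3              # BMP rows are padded to 4 bytes
    pixel_array = b""
    for r in reversed(range(rows)):            # bottom-up: last row stored first
        row = data[r * row_bytes:(r + 1) * row_bytes]
        pixel_array += row + b"\x00" * (stride - row_bytes)
    pixel_offset = 14 + 40                     # file header + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixel_array), 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, rows, 1, 24, 0,
                             len(pixel_array), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_array


def carve_pixel_bytes(bmp: bytes) -> bytes:
    """Return the pixel data of a 24-bpp BMP in logical top-down row order,
    with the per-row stride padding stripped."""
    magic, _, _, _, pixel_offset = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    if bpp != 24:
        raise ValueError(f"only 24-bpp images handled, got {bpp}")
    top_down = height < 0                      # negative height means top-down
    height = abs(height)
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    rows = []
    for i in range(height):
        start = pixel_offset + i * stride
        row = bmp[start:start + row_bytes]
        if len(row) != row_bytes:
            raise ValueError("truncated pixel array")
        rows.append(row)
    if not top_down:
        rows.reverse()
    return b"".join(rows)


def extract_payload(bmp: bytes) -> bytes:
    """Recover the length-prefixed blob carried in the pixel data. The result
    is whatever the packer stored, i.e. still encrypted if a cipher was used."""
    pixels = carve_pixel_bytes(bmp)
    (length,) = struct.unpack_from("<I", pixels, 0)
    if length > len(pixels) - 4:
        raise ValueError("length prefix exceeds available pixel data")
    return pixels[4:4 + length]


if __name__ == "__main__":
    blob = bytes(range(256)) * 3 + b"constructed-demo-payload"   # constructed input
    carrier = build_bmp_with_payload(blob, width=7)              # width 7 forces padding
    assert extract_payload(carrier) == blob
    print(f"carved {len(blob)} bytes from a {len(carrier)}-byte BMP")
```

Two caveats when applying this to a real sample. A .NET packer that reads the image through `Bitmap.GetPixel` sees R, G, B per pixel, whereas the file stores B, G, R, so if the stolen bytes come out in triples with the first and third swapped, reverse each 3-byte group. And a Bitmap stored in a .NET resource is usually serialized as PNG rather than BMP, in which case the carrier first has to be decoded by an image library; only then does the row-and-stride logic above apply to the raw pixels.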
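The signature list above names the registry locations Agent Tesla reads before it commits to running (virtualization vendor keys, BIOS strings, the disk enumeration, the locale) and the ones it touches afterwards (Outlook profiles, the Run key). One way to turn those into host-side detection logic, as an added example that is not Tria.ge's signature code: a small triage routine over Procmon-style registry events that attributes each hit to a tactic and only calls a process malicious when evasion checks are combined with persistence or credential access, since a single indicator such as the locale lookup is also made by benign software. The registry paths are the well-known locations those checks read, not values copied from this report, and the CSV lines are constructed for the demo rather than taken from the sandbox run.

```python
import csv
import io
import re
from collections import defaultdict

# Watched registry paths grouped by tactic. These are the standard locations
# behind the sandbox signatures; the report itself lists signature names only.
INDICATORS = {
    "vbox_guest_additions": (re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I), "anti_vm"),
    "vmware_tools":         (re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I), "anti_vm"),
    "bios_info":            (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I), "anti_vm"),
    "disk_enum":            (re.compile(r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum", re.I), "anti_vm"),
    "geo_nation":           (re.compile(r"\\Control Panel\\International\\Geo\\Nation", re.I), "geofence"),
    "outlook_profiles":     (re.compile(r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles", re.I), "credential_access"),
    "run_key":              (re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I), "persistence"),
}

# Constructed Procmon-style export (not from the sandbox run). The second
# process shows why the locale lookup alone must not trigger an alert.
SAMPLE_LOG = r"""Process Name,PID,Operation,Path,Result
mXb7YbGSNVuPq6D.exe,3120,RegOpenKey,HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions,NAME NOT FOUND
mXb7YbGSNVuPq6D.exe,3120,RegOpenKey,"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",NAME NOT FOUND
mXb7YbGSNVuPq6D.exe,3120,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer,SUCCESS
mXb7YbGSNVuPq6D.exe,3120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS
mXb7YbGSNVuPq6D.exe,3120,RegQueryValue,HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0,SUCCESS
mXb7YbGSNVuPq6D.exe,3120,RegOpenKey,HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook,SUCCESS
mXb7YbGSNVuPq6D.exe,3120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mXb7YbGSNVuPq6D,SUCCESS
explorer.exe,1408,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS
explorer.exe,1408,RegOpenKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,SUCCESS
"""


def parse_procmon_csv(text: str) -> list[dict]:
    """Parse a Procmon CSV export; csv handles the quoted 'VMware, Inc.' path."""
    return list(csv.DictReader(io.StringIO(text)))


def match_indicators(events: list[dict]) -> dict[str, dict[str, str]]:
    """Return {process name: {indicator name: tactic}} for matching events."""
    hits: dict[str, dict[str, str]] = defaultdict(dict)
    for ev in events:
        for name, (pattern, tactic) in INDICATORS.items():
            if not pattern.search(ev["Path"]):
                continue
            # Writing a Run value is persistence; merely opening the key is not.
            if tactic == "persistence" and ev["Operation"] != "RegSetValue":
                continue
            hits[ev["Process Name"]][name] = tactic
    return dict(hits)


def verdict(indicators: dict[str, str]) -> str:
    """Combine tactics so that one common lookup does not raise an alert."""
    tactics = set(indicators.values())
    anti_vm = sum(1 for t in indicators.values() if t == "anti_vm")
    if anti_vm >= 2 and ("persistence" in tactics or "credential_access" in tactics):
        return "likely_malicious"
    if anti_vm >= 2 or "persistence" in tactics:
        return "suspicious"
    return "benign"


def triage(text: str) -> dict[str, tuple[str, list[str]]]:
    """Per-process verdict plus the sorted list of indicators that fired."""
    return {proc: (verdict(ind), sorted(ind))
            for proc, ind in match_indicators(parse_procmon_csv(text)).items()}


if __name__ == "__main__":
    for proc, (result, names) in triage(SAMPLE_LOG).items():
        print(f"{proc}: {result} ({', '.join(names)})")
```

The thresholds in `verdict` are the tuning knobs: two or more virtualization checks is a reasonable floor because installers and licensing code also read BIOS strings, and persistence is only counted when a value is actually written, which is what separates the sample's Run-key entry from Explorer enumerating the same key.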